The level of protection applied to an information asset must be proportional to its value to the organization. The most accurate way to determine this value is by assessing the potential impact on business functions if the asset's confidentiality, integrity, or availability is compromised. This business-centric approach, often determined through a Business Impact Analysis (BIA), ensures that security resources are prioritized and allocated effectively to protect the assets most critical to the organization's mission and objectives. The greater the potential adverse impact on business functions, the higher the required level of protection.

A. Impact on information security program: The security program exists to support the business; therefore, the impact on the business is the primary driver, not the impact on the program itself.

B. Cost of controls: The cost of controls is a factor in risk treatment (cost-benefit analysis) but does not determine the required level of protection; the asset's value and business impact do.

D. Cost to replace: This only covers the tangible replacement cost and fails to account for intangible but often more significant impacts like reputational damage, regulatory fines, or operational downtime.

1. ISACA

CISM Review Manual

15th Edition (2022): In Chapter 2

Information Risk Management

the manual states

"The value of an asset is determined by its criticality to the business." (p. 83). It further explains that the Business Impact Analysis (BIA) "helps to identify and prioritize the information assets that are most critical to the business... The results of the BIA are used to guide the selection of risk mitigation strategies and controls." (p. 88). This directly links the level of protection to the business impact.

2. National Institute of Standards and Technology (NIST) Special Publication 800-30

Revision 1

"Guide for Conducting Risk Assessments" (2012): Section 2.3.2

"Impact

" details that impact analysis involves assessing the magnitude of harm to an organization's "operations (i.e.

the mission

functions

image

or reputation)

assets

or individuals." This establishes a direct link between the impact on business functions/operations and the basis for risk decisions.

3. Posthumus

S.

& von Solms

R. (2004). "A framework for the governance of information security." Computers & Security

23(8)

638-646: This academic paper emphasizes that information security must be driven by business objectives. The framework proposed aligns security initiatives with business needs

reinforcing the principle that the impact on the business is the primary consideration for security decisions. (DOI: https://doi.org/10.1016/j.cose.2004.02.004).